Transforming How Texas Government Serves Texans
2020 Prioritization of Cybersecurity & Legacy Modernization Projects
July 14, 2020
AGENDA
• Introductions
• Background & Purpose
• Content Overview
• SPECTRIM Demonstration
• Process & Submission
• Q&A
INTRODUCTIONS
Chief Technology Office
• John Hoffman | Interim State CIO, Chief Technology Officer
• Krishna Edathil | Director, Enterprise Solution Services
• Robert Benejam | Enterprise Architect, Enterprise Solution Services
Office of the Chief Information Security Officer
• Nancy Rainosek | State Chief Information Security Officer
• Matt Kelly | Governance, Risk, & Compliance Program Manager
John Hoffman, Nancy Rainosek
Overview & Purpose
OVERVIEW
Section 2054.069, Government Code, entitled Prioritized Cybersecurity and Legacy Systems Projects Report, requires the Texas Department of Information Resources (DIR) to report to the Legislative Budget Board (LBB), no later than October 1 of each even-numbered year, on state agency cybersecurity projects and projects to modernize or replace legacy systems, as defined by Section 2054.571, Government Code.
STATUTE
Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM PROJECTS REPORT.
(a) Not later than October 1 of each even-numbered year, the department shall submit a report to the Legislative Budget Board that prioritizes, for the purpose of receiving funding, state agency:
(1) cybersecurity projects; and
(2) projects to modernize or replace legacy systems, as defined by Section 2054.571.
(b) Each state agency shall coordinate with the department to implement this section.
(c) A state agency shall assert any exception available under state or federal law, including Section 552.139, in response to a request for public disclosure of information contained in or written, produced, collected, assembled, or maintained in connection with the report under Subsection (a). Section 552.007 does not apply to information described by this subsection.
Added by Acts 2019, 86th Leg., R.S., Ch. 509 (S.B. 64), Sec. 12, eff. September 1, 2019.
PURPOSE
• The PCLS Project Questionnaire provides agencies with the opportunity to demonstrate the risks and potential impacts of not funding cybersecurity or legacy systems modernization projects.
• DIR will use the responses provided in the PCLS Project Questionnaire along with the Application Portfolio Management (APM) assessment responses of the business applications associated with the project in determining the project prioritization that will be sent to the LBB by October 1, 2020.
BACKGROUND
2014
• Legacy Systems Study, HB 1890 (84R)
2016
• 1st PCLS (Reported for 85R)
2018
• 2nd PCLS (Reported for 86R)
• APM Assessments w/ IRDR
2020
• 3rd PCLS (Reporting for 87R)
• PCLS Codified
QUESTIONNAIRE COMPONENTS
• Part 1: General Information
• Part 2: Associated Business Applications
• Part 3: Cybersecurity Issues and Controls
• Part 4: Legacy Issues
• Part 5: Probability Determination
• Part 6: Impact Determination
• Instructions Document
General Information
Part 1 – All Projects
Krishna Edathil
PART 1 – GENERAL INFORMATION
• 18-24 questions
• Project Narrative
• Project Type
• LAR/Funding Information
• Project Characteristics
PROJECT TYPE
Cybersecurity Projects must possess at least one of the following criteria:
► The project’s primary purpose must be improving the organization’s cybersecurity or enhancing the organization’s capability to identify, detect, protect, respond, or recover from cybersecurity threats and vulnerabilities.
► The project must have clear objectives that will improve the organization’s cyber maturity as measured in the biennial information security plan.
Legacy Modernization Projects must possess at least one of the following criteria:
► The project’s primary purpose must be modernizing the agency’s legacy systems as defined in Sec. 2054.571, Government Code. “Legacy system” means a computer system or application program that is operated with obsolete or inefficient hardware or software technology.
► The project must also be intended primarily to support continued systems currency through monitoring the agency’s application portfolio and IT infrastructure.
NOTE: Projects for the 87th legislature are now either one or the other.
Related Business Applications
Part 2 – All Projects
Robert Benejam
PART 2 – RELATED BUSINESS APPLICATIONS
A Business Application name is the high-level label used by an agency to easily identify a group of functions provided by one or more systems to accomplish the specific business needs of the agency.
A Business Application is typically a combination of integrated hardware and software (including data and applications), internally developed custom systems, commercial off the shelf (COTS) applications, and/or customized third-party systems.
PART 2 – RELATED BUSINESS APPLICATIONS
IRDR – Information Resources Deployment Review (due March 31)
• Inventory applications
• Determine applications to assess
APM – Application Portfolio Management Assessments (prior to PCLS submission)
• Complete application APM assessments as determined
PCLS – Prioritization of Cybersecurity and Legacy Systems Projects (agency LAR due date)
• Associate applications to relevant project questionnaires
PART 2 – RELATED BUSINESS APPLICATIONS
All applications associated with a PCLS project must…
1. have an APM assessment completed within the last four years, and
2. have the required fields completed in the application record.
Directly Related
• the business applications related to the project are directly impacted by the project (replaced, modernized, consolidated, improved, etc.).
Indirectly Related
• the business applications that receive a secondary benefit from the project.
PART 2 – RELATED BUSINESS APPLICATIONS
Cybersecurity Issues & Controls
Part 3 – Cybersecurity Projects Only
Matt Kelly
PART 3 – CYBERSECURITY ISSUES & CONTROLS
Cybersecurity Issues
• Narrative of the existing issues, challenges, and future considerations concerning cybersecurity as it relates to the project. (What’s the problem?)
Cybersecurity Controls
• Narrative of the current safeguards/countermeasures in place that would lower the probability or lessen the impact of security incidents if the project is not funded. (How’s it handled now?)
Legacy Issues
Part 4 – Legacy Projects Only
Krishna Edathil
PART 4 – LEGACY ISSUES
• 14-16 questions
• Modernization Benefits
• Cost-Benefit Analysis & Methodology
• Modernization Scope (servers & software)
• System Characteristics
COST-BENEFIT ANALYSIS – BUSINESS CASE WORKBOOK
Probability & Impact Determination
Parts 5 & 6 – Cybersecurity Projects Only
Matt Kelly
PART 5 – PROBABILITY DETERMINATION
7 questions
• Threat Capability
• Incentive
• Control Effectiveness
• Control Reliability
• Threat Event Frequency
• Asset Exposure
PART 6 – IMPACT DETERMINATION
8 questions
• Reputational Impacts
• Operational Impacts
• Physical Impacts
• Legal Impacts
• Financial Impacts
[Chart: Probability (vertical axis) versus Impact (horizontal axis)]
SPECTRIM PCLS DEMO
Collection Tool
Matt Kelly
• Logging in
• Navigation
• Support Request
• New PCLS Record
• Delegating a Record
• Looking up Business Applications
• Return to Existing Record
• Submitting a Record
• Exporting a Questionnaire
SPECTRIM Accounts
• Information Resources Managers (IRM) are responsible for completing PCLS Questionnaires but may delegate to any active SPECTRIM users.
• Additional users can be requested and delegated to a PCLS questionnaire by the IRM (via support request or email [email protected]).
• Accounts must be active to receive system notifications.
• Inactive/locked accounts cannot reset passwords themselves. If you don’t receive a password reset email within 10 minutes, your account is probably inactive.
• Contact [email protected] to have inactive/locked accounts reactivated.
SPECTRIM Portal Login
Portal Login: https://dir.archer.rsa.com
PW reset only works for active accounts.
PCLS Dashboard
Select the PCLS workspace tab on the top banner to access the dashboard. If you do not see the tab, you may have to select the vertical ellipsis on the far right to view additional workspaces.
If the workspace is not available, contact [email protected] to check if you have the appropriate access rights.
PCLS Questionnaire Record
[Screenshot callouts: Edit/View Mode Toggle; Delegate User Field Lookup; Help Text Display Icon]
Temporary Issue Using Chrome v83
NOTE: if using Chrome v83 there is a potential issue with values lookup fields. If you receive a blank lookup box, close it and try again a couple of times, or use a different supported browser (Firefox, IE/Edge).
Submission Process
1. Identify applicable projects
2. Determine project type
3. Identify related business applications
4. Ensure related applications have an APM assessment < 4 years old
5. Ensure required application fields are completed
6. Create PCLS Project Questionnaire
7. Determine who will fill out the questionnaire
8. Determine if a reviewer is needed
9. Submit questionnaire in SPECTRIM
10. Submit PCLS Tracking Key with LAR
11. Change SPECTRIM status to “Submitted to LBB”
Questionnaire Statuses
• Not Started – initial status indicating that the PCLS record has been created, but no questions have been completed.
• In Process with Submitter – questionnaire record has been saved, but content has not been submitted for the next stage. The submitter or delegate can come back to the record and update responses in this stage.
• Awaiting Business Application Assessment(s) – the questionnaire has business applications associated in Part 2 that do not meet the required criteria to be included in the project questionnaire. Associated applications must have the required application fields completed (e.g. Mission Critical) and must have an APM assessment completed on the application within the last 4 years. The agency will need to either complete the required APM assessment(s) or exclude applications that do not meet the requirements in order to submit the questionnaire.
• In Process with Reviewer – indicates that the questionnaire record has been finalized by the submitter and is awaiting review. This stage will only occur if the submitter or delegate assigns someone to the optional reviewer field. The reviewer will need to review the questionnaire record and either approve it or reject it back to the submitter.
• Rejected by Reviewer / Re-Finalize – indicates the optional reviewer has rejected the questionnaire. The submitter or delegate will need to revise the questionnaire content and re-finalize to submit for review again.
• Awaiting Submission to LBB – indicates that the PCLS questionnaire has successfully been submitted to DIR via SPECTRIM. The questionnaire content becomes read-only at this time. Once the PCLS Tracking Key has been submitted via the agency’s LAR, the submitter will need to return to the PCLS questionnaire record, update the “Project submitted to LBB with its PCLS Tracking Key” field to “Yes”, and populate the “Date Submitted to LBB” field.
• PCLS Tracking Key Submitted to LBB – indicates that the PCLS questionnaire submission has been fully submitted to both DIR and LBB. Most of the record will become read-only, but users may still update information about the project, including Funding Status and Project Status.
• Not Submitted – Archived – indicates that the PCLS record was created during a previous legislative session and was not marked as submitted to LBB. The record is read-only and may not be updated. If users want to submit the request for the 87th legislative session, they will need to create a new PCLS record.
Assistance
• DIR will use the TX-IRM mailing list for primary communications.
• For general inquiries about PCLS content (e.g. question clarification, process questions) email [email protected].
• For support with the SPECTRIM portal (e.g. password resets, obtaining credentials) email [email protected] or open an Archer support request from within the portal.
• PCLS Webpage: https://dir.texas.gov/View-Resources/Pages/Content.aspx?id=54
Q & A
Thank You
dir.texas.gov
#DIRisIT | @TexasDIR